Passwords are stored using a one-way algorithm. This secures them against attackers, but also prevents recovery.
If a user loses or forgets their password, a Global Administrator can reset it using the ScrumWorks Pro Desktop Client's User Manager. If all Global Administrators lose or forget their passwords, please contact support for further instructions.
To take full advantage of increased password security, the ScrumWorks Pro server should be configured to use HTTPS. To prevent password sniffing, HTTPS is required for all client/server communication. Please see the guide on HTTPS Configuration.
ScrumWorks Pro can enforce strong user passwords when ScrumWorks authentication is used. LDAP authentication uses the LDAP server's password restrictions. This guide is intended to be used by your organization's system administrator.
To enable strong password enforcement, edit the following file:
<SW Installation Directory>/server/scrumworks/conf/login-config.xml
Within this file, locate the following line in the ScrumWorks application-policy tag:
<module-option name="requireStrongPasswords">false</module-option>
If the line is missing, add the above line to the following login-module:
<login-module code="com.danube.scrumworks.auth.ScrumWorksLoginModule" flag="sufficient">
Set the value to true to enforce strong passwords.
The ScrumWorks Pro server must be restarted for this change to take effect.
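A check for the setting described above, as an added example (not part of ScrumWorks Pro or its documentation): it parses a login-config.xml and reports whether requireStrongPasswords is set to true on the ScrumWorksLoginModule, including the case where the line is missing. The sample XML is constructed; its wrapper elements and policy name are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

LOGIN_MODULE = "com.danube.scrumworks.auth.ScrumWorksLoginModule"
OPTION = "requireStrongPasswords"

# Constructed sample: only the login-module and module-option lines come from
# the guide; the wrapper elements and the policy name are assumptions.
SAMPLE = """<policy>
  <application-policy name="example-policy">
    <authentication>
      <login-module code="com.danube.scrumworks.auth.ScrumWorksLoginModule" flag="sufficient">
        <module-option name="requireStrongPasswords">false</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""


def strong_password_state(xml_text):
    """Return 'enabled', 'disabled', 'missing-option' or 'missing-module'."""
    root = ET.fromstring(xml_text)
    # Match on the code attribute wherever the element sits in the file.
    modules = [m for m in root.iter("login-module") if m.get("code") == LOGIN_MODULE]
    if not modules:
        return "missing-module"
    states = set()
    for module in modules:
        options = [o for o in module.iter("module-option") if o.get("name") == OPTION]
        if not options:
            states.add("missing-option")
        # Only the documented value "true" counts; "TRUE", "yes", empty do not.
        elif all((o.text or "").strip() == "true" for o in options):
            states.add("enabled")
        else:
            states.add("disabled")
    # Report the weakest state found across all matching login-modules.
    for state in ("disabled", "missing-option", "enabled"):
        if state in states:
            return state


if __name__ == "__main__":
    # Pass the path to login-config.xml, or run with no argument for the sample.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    state = strong_password_state(text)
    print(f"{OPTION} on ScrumWorksLoginModule: {state}")
    sys.exit(0 if state == "enabled" else 1)
```

The script exits non-zero unless the state is enabled, so it can run as a configuration audit step; remember that an edited file only takes effect after the server restart.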